import { SignJWT, jwtVerify } from "jose";
import { cookies } from "next/headers";

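/** Name of the cookie that carries the signed admin session JWT. */
const COOKIE = "admin_session";

/**
 * Returns the HMAC key used to sign and verify admin session tokens.
 *
 * The key is read from `AUTH_SECRET` on every call. The fallback below is a
 * constant committed to source control, so a token signed with it can be
 * forged by anyone who knows it. It is therefore accepted only when
 * `NODE_ENV` is not "production"; in production a missing or empty
 * `AUTH_SECRET` is a configuration error and the call fails instead of
 * silently signing with the public value.
 *
 * @throws Error when `NODE_ENV` is "production" and `AUTH_SECRET` is unset or empty.
 */
const getSecret = () => {
  const configured = process.env.AUTH_SECRET;
  if (configured) {
    // RFC 7518 §3.2 requires an HS256 key of at least 256 bits (32 bytes).
    // Length is not enforced here; use a randomly generated value of that size or more.
    return new TextEncoder().encode(configured);
  }
  if (process.env.NODE_ENV === "production") {
    throw new Error("AUTH_SECRET must be set in production");
  }
  // Local development only.
  return new TextEncoder().encode("dev-only-secret-min-32-characters-long!!");
};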

/**
 * Issues a signed session token for an administrator.
 *
 * The token is an HS256 JWT whose `sub` claim is the given e-mail and whose
 * `role` claim is "admin". It carries an issued-at timestamp and expires
 * seven days after issuance.
 *
 * NOTE(review): nothing in this file records issued tokens or revokes them,
 * so a copied token appears to stay usable until its `exp`. Confirm whether
 * a seven-day lifetime is acceptable for an admin session.
 *
 * @param email - Address stored in the `sub` claim. It is not validated here;
 *   the caller is expected to have authenticated the administrator first.
 * @returns The compact serialized JWT.
 */
export async function createAdminToken(email: string): Promise<string> {
  const claims = { sub: email, role: "admin" };
  const builder = new SignJWT(claims)
    .setProtectedHeader({ alg: "HS256" })
    .setIssuedAt()
    .setExpirationTime("7d");
  const key = getSecret();
  return builder.sign(key);
}

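/**
 * Verifies an admin session token and returns the administrator's e-mail.
 *
 * A token is accepted only when all of the following hold:
 *  - its signature and expiry pass `jwtVerify` under the key from `getSecret()`;
 *  - its algorithm is HS256, the only one `createAdminToken` issues;
 *  - its `role` claim is exactly "admin";
 *  - its `sub` claim is a non-empty string.
 *
 * The role check matters when the same secret signs other kinds of token:
 * without it, any validly signed token that carries a `sub` would be treated
 * as an admin session.
 *
 * @param token - Compact JWT, typically read from the session cookie.
 * @returns `{ email }` for a valid admin token, otherwise `null`. Every
 *   exception raised during verification is reported as `null` (fail closed).
 */
export async function verifyAdminToken(
  token: string
): Promise<{ email: string } | null> {
  try {
    const { payload } = await jwtVerify(token, getSecret(), {
      // Pin the algorithm explicitly rather than relying on the key type.
      algorithms: ["HS256"],
    });
    if (payload.role !== "admin") return null;
    const email = payload.sub;
    // `sub` is optional in a JWT; check its type at runtime instead of casting.
    if (typeof email !== "string" || email.length === 0) return null;
    return { email };
  } catch {
    return null;
  }
}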

/**
 * Decides whether the session cookie is marked `Secure`.
 *
 * `Secure` is enabled only when the site is known to be served over HTTPS:
 * on a plain-HTTP origin such as http://192.168... the browser discards a
 * cookie that has `secure=true`.
 *
 * The flag is on when `NEXT_PUBLIC_SITE_URL` starts with "https://" or when
 * `COOKIE_SECURE` is exactly "1". If neither is set, the admin cookie is
 * issued without `Secure`, so an HTTPS deployment must configure one of the
 * two. Otherwise the cookie can also be sent over plain HTTP.
 */
function cookieSecure(): boolean {
  const siteUrl = process.env.NEXT_PUBLIC_SITE_URL || "";
  const forced = process.env.COOKIE_SECURE === "1";
  return siteUrl.startsWith("https://") || forced;
}

/**
 * Stores the admin session token in the response cookie jar.
 *
 * The cookie is HttpOnly (not readable from page scripts), SameSite=Lax,
 * scoped to the whole site, and lives for seven days. That matches the "7d"
 * expiry `createAdminToken` puts in the token. Whether it is also `Secure`
 * is decided by `cookieSecure()`.
 *
 * @param token - Signed JWT to store. It is written as-is, without verification.
 */
export async function setAdminSession(token: string) {
  const sevenDaysInSeconds = 7 * 24 * 60 * 60;
  const store = await cookies();
  store.set(COOKIE, token, {
    path: "/",
    maxAge: sevenDaysInSeconds,
    httpOnly: true,
    sameSite: "lax",
    secure: cookieSecure(),
  });
}

/**
 * Logs the administrator out by deleting the session cookie.
 *
 * NOTE(review): this removes only the browser's copy. Verification in this
 * file is stateless, so a token that was copied elsewhere appears to remain
 * valid until it expires. Confirm whether server-side revocation is needed.
 */
export async function clearAdminSession() {
  const store = await cookies();
  store.delete(COOKIE);
}

/**
 * Resolves the current request's admin session, if any.
 *
 * Reads the session cookie and passes its value to `verifyAdminToken`.
 *
 * @returns `{ email }` when the cookie holds a token that verifies, or `null`
 *   when the cookie is absent, empty, or fails verification.
 */
export async function getAdminSession(): Promise<{ email: string } | null> {
  const store = await cookies();
  const sessionToken = store.get(COOKIE)?.value;
  return sessionToken ? verifyAdminToken(sessionToken) : null;
}
